CVE-2020-24432 MEDIUM

CVE-2020-24432: Acrobat Reader DC Arbitrary JavaScript Execution in PDF Documents

Vendor Adobe
Product Acrobat Reader
Weakness CWE-20 · Input validation
Published November 5, 2020
Last update September 17, 2024

CVSS base score

6.7/10
Attack vector Local
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

Description

Acrobat Reader DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier), and 2017.011.30175 (and earlier), as well as Adobe Acrobat Pro DC 2017.011.30175 (and earlier), are affected by an improper input validation vulnerability that could result in arbitrary JavaScript execution in the context of the current user. To exploit this issue, an attacker must acquire and then modify a certified PDF document that is trusted by the victim. The attacker then needs to convince the victim to open the document.

Key dates

Disclosure timeline

November 5, 2020 CVE published
September 17, 2024 Record updated